IT-Compliance FAQ

Nowadays, many business processes run digitally, which is why legislators are placing increasingly high demands on IT security. As a CMP provider, we offer software that will ensure that legal requirements are fulfilled and that these requirements are met. It is all the more important to us that all legal requirements are verifiably met, even with regard to our own IT structure. Therefore, we would like to clarify the most important questions regarding our IT compliance in the following.

We process two types of data:
Customer data = settings and login data
User Data = Consent Data (Consent ID, Consent Number, Time of Consent, Type of Consent (implicit or explicit), Opt-in or Opt-out, Banner Language, Customer Setting, Customer Setting Version, Template and Template Version) and Device Data (HTTP Agent, HTTP Referrer and Device ID)

The owner of the data is always the customer as the commissioning party (data controller). For processing according to the customer’s specifications, an order processing contract is always drawn up with Usercentrics (data processor)

For the purpose of hosting, Usercentrics uses the cloud server services provided by Google. (Google, Alphabet Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States or Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland for users from the EEA and Switzerland).

The processing and storage of customer and user consent data takes place in the Google Cloud. The processing entities are located in Frankfurt and the storage entities in Belgium. This includes the backups of the data, which also lie in the Google Cloud and within the EU.

Upon request of the customer, a data export can be arranged. In order to do so, the data is exported to Google Buckets (Google Cloud Storage). After verifying if the person is authorised to access the data, a link is generated specifically in order to download this data.

Data is deleted after a retention period of 12 months (latest status). Regardless of this period, a customer can request the deletion of the stored data at any time. Encrypted backup files in backups, however, remain unaffected by the above mentioned time frame in in order not to endanger the data integrity.

Access to customer data is managed by the customer him/herself. In addition, a restricted group of users receives administrative permission from Usercentrics, e.g. in order to be able to assist with support requests.

Authentication is always performed via user name and password. An additional two-factor authentication can be developed upon customer request. There are two variants for the login authentication: A Federated Login via Google or via the Auth0 authentication service.

The data transfer is carried out using HTTPS encryption (TLS 1.3). Data in idle mode is encrypted using AES256, with different codes used for each respective data packet.

The customer-specific Settings ID is used to logically separate data from different customers in the databases. Data from different categories is stored in separate databases with individual access keys.

In the event of a disruption, multi-stage automatisms intervene to restore the functionality of the system. If these mechanisms fail, an alarm message is forwarded to the next stage, which coordinates further measures.

Since the Usercentrics CMP runs via different services varying consequences can be expected depending on the type of system failure. For better visualization, we have outlined the possible scenarios: